fix: escape config.userLang/acpLang, don't allow invalid language codes

Barış Soner Uşaklı
2020-01-13 12:27:50 -05:00
parent df5e3a7394
commit e06c1bfcd2
4 changed files with 35 additions and 10 deletions


@@ -5,6 +5,7 @@ const meta = require('../meta');
const db = require('../database');
const plugins = require('../plugins');
const notifications = require('../notifications');
const languages = require('../languages');
module.exports = function (User) {
User.getSettings = async function (uid) {
@@ -87,6 +88,13 @@ module.exports = function (User) {
throw new Error('[[error:invalid-pagination-value, 2, ' + maxTopicsPerPage + ']]');
}
const languageCodes = await languages.listCodes();
if (data.userLang && !languageCodes.includes(data.userLang)) {
throw new Error('[[error:invalid-language]]');
}
if (data.acpLang && !languageCodes.includes(data.acpLang)) {
throw new Error('[[error:invalid-language]]');
}
data.userLang = data.userLang || meta.config.defaultLang;
plugins.fireHook('action:user.saveSettings', { uid: uid, settings: data });
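Review bot: The allow-list check on `data.userLang` and `data.acpLang` runs only when settings are saved, so a language value stored before this commit, or written by a path that does not go through this function, is never re-checked here. The commit title says the values are also escaped, but those files are not in this hunk, so it is worth confirming that every place that outputs `userLang`/`acpLang` either escapes it or falls back to `meta.config.defaultLang` when the stored code is not in `languages.listCodes()`. The two identical `if` blocks could also be folded into one loop over the keys, `for (const key of ['userLang', 'acpLang']) { if (data[key] && !languageCodes.includes(data[key])) { throw new Error('[[error:invalid-language]]'); } }`, so a language setting added later is harder to leave unchecked. The enclosing function starts and ends outside the hunk.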